More Cyber-crime Advice for Obama

With President-elect Barack Obama readying to take the oath of office today, IT experts are lining up to offer their advice to the new Commander-In-Chief about what he needs to do to better address issues of cyber-security.

In December, a panel of security experts put together by the Center for Strategic and International Studies (CSIS) published a lengthy set of recommendations for the new administration dubbed "Securing Cyberspace in the 44th Presidency."

In a set of points issued by anti-botnet specialists FireEye, the company's CEO, Ashar Aziz, encourages the Obama administration to take many steps outlined in the CSIS paper, but also says the CSIS guidelines do not go far enough, or may not be sufficiently explicit.

"Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern, national cyber security policy as we enter into the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think they missed the point in their technical recommendations," Aziz said in a blog post.

1. Create Cabinet-level Appointment - Create a Cabinet-level position and team to coordinate national efforts around cyber security. This cyber security team should conduct a comprehensive and immediate review of the state of cyber security for all Federal networks and computer systems.

2. Conduct a Federal Threat Assessment - NIST should create a high priority task force to review the technical requirements for both end point and network-based security to guard federal systems against the threat of stealthy malware and cyber crimes.

3. Issue Presidential Mandate - All Federal government departments and agencies should be instructed to comply within one year with these NIST-developed anti-malware security standards.

4. Strengthen U.S. Cyber Military - There should be a review of the vulnerability of the U.S. military's network to stealth malware attacks. The recent successful infiltration of malware into U.S. military systems around the world illustrates that military networks are quite vulnerable to malware attacks.

5. Protect Critical Infrastructure - Systems that control critical infrastructures, such as utilities, power grids, major financial services and stock trading systems should also be required to comply with these technical standards on protection from stealth malware cyber attacks.

6. Develop Certification Process - NIST should create a vendor neutral certification program to rate the ability of different vendors' products to protect from stealthy malware.

7. Bolster Cyber Law Enforcement - The President-elect should create an organization to actively combat cyber crime with much greater inclusion of cyber operations as an element of active cyber crime interdiction mechanisms.

8. Build Cyber Space Situational Awareness - The U.S. government should create a global cyber security situational awareness system to provide ongoing and real-time surveillance and insights into attacks in the cyber domain.

10. Involve Internet Service Providers - ISPs (and Network Service Providers) should be required to provide protections to consumers from the threat of malware infiltrations and associated cyber crimes.

Now, to my eye, these goals are pretty similar to those issued by the CSIS panel, and anyone who thinks they've scratched the surface on that report might want to check out its hundreds of pages of technical appendices, which get far more technical.

However, if Obama heeds the advice of CSIS, Aziz and others, we're sure to see a good deal of activity around cyber-security inside the White House over the next four years.

Based on what the research has been telling us for a long time, that would appear to be a major step in helping law enforcers make inroads in fighting cyber-crime. Let's hope so.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.